In Outlook Express and Windows Mail

Aug 14, 2008 07:58 GMT

A security researcher at Core Security Technologies discovered a URL Parsing Cross-Domain Information Disclosure vulnerability in Outlook Express and Windows Mail that directly affects Internet Explorer. According to Core Security Technologies, all supported versions of IE are potentially affected: IE 5, 6 and 7 on Windows 2000/2003/XP, IE 7 on Windows Vista, and the beta versions of IE 8.

The vulnerability in Microsoft's two Windows email clients causes the MHTML protocol handler to mishandle MHTML URL redirections. As a result, the domain restrictions that Internet Explorer normally enforces can be bypassed when MHTML content is involved. In practice, malicious code hosted on a specially crafted page could reach a user's machine, because URLs that should be treated as untrusted are effectively handled as if they were trusted.

"The discovery of this vulnerability in IE highlights that no vendor is immune to the perils of Web browser software security," said Ivan Arce, CTO at Core Security Technologies. "Today's web browsers expose a significant attack surface and have complex interactions with other components of the operating system. Even after extensive and systematic scrutiny during the software development lifecycle, vendors may fail to identify serious flaws such as this one."

URL Security Zones, a security feature of Internet Explorer, lets users apply restrictions based on the zone a website is automatically assigned to. Core Security found that when a remote website attempted to access local resources on a computer running one of the affected browser versions, Security Zones failed to recognize the real level of threat and did not apply the appropriate restrictions. An attacker could therefore gain access to certain resources on the affected computer without the user being aware of it.

On August 12, Microsoft released security updates for all affected versions. The patches can be downloaded from the Redmond-based company's website.